Lightlesscan

Malware updated a year ago (2024-11-29T14:45:10.617Z)

Download STIX

Preview STIX

LightlessCan is a new and advanced malware, discovered by ESET, that has been added to North Korea's Lazarus group's arsenal. The malware is a successor to the group's flagship HTTP(S) Lazarus Remote Access Trojan (RAT) named BlindingCan. LightlessCan represents a significant advancement in malicious capabilities compared to its predecessor, with ESET's senior malware researcher, Peter Kálnai, noting that it mimics the functionalities of a broad range of native Windows commands. This allows for discreet execution within the RAT itself, making detection and analysis of attacker activities more challenging. The threat actor initially gained access to company systems through a spear-phishing attack masquerading as a recruiter for Facebook parent company Meta. Once inside the system, they deployed the LightlessCan malware. One of the most notable aspects of this RAT is its ability to mimic commands like ping, ipconfig, systeminfo, sc, net, and others with a hardcoded "The operation completed successfully" string as output. This obfuscates the reality of what the RAT is doing, adding another layer of complexity to its operations. ESET's analysts believe that LightlessCan is based on the source code of BlindingCan due to the significant preservation of the order of shared commands, despite some differences in their indexing. In developing LightlessCan, Lazarus may have reverse-engineered the closed-source system binaries to add additional functionality to the RAT. In a recent attack documented by ESET, LightlessCan demonstrated support for 68 commands, although only 43 appear to be implemented. The discovery of this malware came after Lazarus Group impersonated a Meta recruiter on LinkedIn to target a Spain-based aerospace firm with the LightlessCan malware.

Description last updated: 2024-05-04T16:53:28.826Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Payload

Rat

Windows

Eset

Malware

Downloader

Implant

Operation Dr...

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The BLINDINGCAN Malware is associated with Lightlesscan. BlindingCan, also known as AIRDRY or ZetaNile, is a multifaceted malware capable of extracting sensitive data from compromised hosts. The threat actor gained initial access to systems via spear-phishing attacks masquerading as recruiters for high-profile companies and deployed new malware dubbed "Li	Unspecified	5

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Lazarus Group Threat Actor is associated with Lightlesscan. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitati	Unspecified	3

Source Document References

Information about the Lightlesscan Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
ESET	18 days ago	Gotta fly: Lazarus targets the UAV sector
Securityaffairs	a month ago	Lazarus targets European defense firms in UAV-themed Operation DreamJob
CERT-EU	2 years ago	LinkedIn Messaging used by APT to phish aerospace target and plant novel malware
CERT-EU	2 years ago	Cyber Security Week in Review: October 6, 2023
CERT-EU	2 years ago	North Korea's Lazarus Group upgrades its main malware
CERT-EU	2 years ago	North Korean hackers target S.Korea’s shipbuilders
CERT-EU	2 years ago	Trojanized VNC apps leveraged in defense-targeted Lazarus Group attacks
CERT-EU	2 years ago	Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps
CERT-EU	2 years ago	Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm
CERT-EU	2 years ago	Security Breach: Hacker Poses as Meta Recruiter, Targets Aerospace Company
BankInfoSecurity	2 years ago	Hackers Impersonate Meta Recruiter to Target Aerospace Firm
CERT-EU	2 years ago	In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
ESET	2 years ago	How Lazarus impersonated Meta to attack a target in Spain – Week in security with Tony Anscombe
DARKReading	2 years ago	North Korea Poses as Meta to Deploy Complex Backdoor at Aerospace Org
Securityaffairs	2 years ago	North Korean Lazarus targeted a Spanish aerospace company
CERT-EU	2 years ago	Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CERT-EU	2 years ago	Lazarus hackers breach aerospace firm with new LightlessCan malware
CERT-EU	2 years ago	Lazarus Group Impersonates Recruiter from Meta to Target Spanish Aerospace Firm
CERT-EU	2 years ago	Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company